Given is the following network setup:
┌192.168.1.10 Windows Server (WAN)
│
└192.168.1.100 Router (WAN)
192.168.0.1 Router (LAN)
│
└192.168.0.x Windows Client (LAN)
WAN area: 192.168.1.x.
LAN area: 192.168.0.x.
Those areas are separated by the router.
As you can see, the Client is located in the LAN area and connected to the WAN area through a router. The Server is located in the WAN area. What I want to do is enable the Client (which is running Windows 7) to do authentication via Kerberos with the Server (Windows Server 2003).
Many websites tell me I need to enable TCP and UDP port 88 in the router firewall to use Kerberos. Of course, this only makes sense if the server is behind a firewall. But in this case the client(s) is (are) behind a firewall.
I tried to use the lmhosts file on the client to specify the IP addresses of my Windows Server, but it doesn't work. I am able to do the Windows logon on my client using the domain user and password. But when I want to access a network share, for example, I get an error message and I am prompted to do the authentication again.
My question: What configuration do I need to authenticate to the Windows Domain correctly and use the network share without having to re-authenticate?
https://serverfault.com/questions/346196/tcp-ip-ports-necessary-for-cifs-smb-operation
Depending on your FW configuration this might not be necessary since many default to outbound ports all being allowed, but of course it depends on what you've done with the firewalled area. :)
– Kyp Oct 20 '17 at 23:00